The benefits of SCCM reporting are obvious, and some organisations depend on it more than others. The dataset behind SCCM reporting is the SCCM database itself, so if multiple reports are being run, written and tested while there is a lot of client activity, database performance can degrade.

Some organisations therefore prefer that SCCM reports be designed, coded and tested on a separate database server, and that only the finished report be imported into the live SQL Reporting Services server that connects to the SCCM production database.

To achieve this you need a separate SQL server in the domain, preferably running the same version of SQL Server as the site database.

The welcome screen of the Office Customization Tool (setup.exe /admin) tells you that you are about to create an MSP file that will store all the customisations.

Provide the install location and the organisation name.

Enter the product key.

Accept the licence agreement.

Set the display level to None. For enterprise use, display level None is recommended because the install then does not wait for any user input. However, if None is selected, users should also be told to close all open Office files before the install runs.

When display level None is selected, Completion notice and No cancel do not apply, so it does not matter whether they are checked or not.

Suppress modal hides the warning about open files, and if there are errors they will not pop up on screen either; check the setup log instead.

Next is Set feature installation states: set Microsoft Access, Microsoft Publisher, Microsoft InfoPath and Microsoft Lync to Not Available. (Later in the post I will verify that these components are actually not installed.)

Click File, Save as, and save the file to the Updates folder inside the Office 2013 source files folder; setup applies any MSP found there automatically.

I named the file Office2012setup.msp. This completes the MSP creation process.

XML documents are written in the form of a tree of nodes. An XPath query provides a way to query the data in XML files: because the data is structured as nodes, XPath syntax makes it easy to pull a value out of an XML document.

I created a sample XML document to use for this post. You can download it or create your own.

Here is the link to download the sample XML file used in this post. For testing purposes the test machines have a folder on the C drive (c:\scratch), and the XML file is copied to c:\scratch on all the machines.

Go to Assets and Compliance, Compliance Settings, Configuration Items; right-click and select Create Configuration Item.

Provide the name CI – Xpath Query, leave the configuration item type as Windows and click Next.

Select the operating systems where this setting will apply and click Next.

Click New to create the setting.

Type in the name XpathQuery. From Setting type select XPath query and from Data type select String.

Path – c:\scratch

File name – CI-Xpath.xml (this file can be downloaded from the link provided above)

In XPath query type in:

/Library/Address/City

Click Apply, then OK.

Click Next to go to compliance rules.

Click New to create a compliance rule.

Provide the name of the compliance rule and click Browse.

Select the setting just created in the previous step and click Select.

In Rule type select Value,

and set the rule to Equals “Hidden Valley”.

Click Next.

Review all the settings; if changes are needed, go back to the previous screen.

SCCM is working its magic 🙂
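Before the configuration item goes into a baseline it is worth proving the XPath and the expected value on a test machine, because the console gives no feedback until clients evaluate. The following is an added example, not code from the original post: it reproduces what the setting does (open the file at Path\File name, evaluate the XPath, compare the result with the Equals value). The XML content is constructed here to match the query /Library/Address/City; the author's downloadable CI-Xpath.xml is not reproduced on the page, and the temp folder stands in for c:\scratch.

```powershell
# Added example (not from the original post): validate an XPath compliance setting locally.

function Test-XPathCompliance {
    param(
        [Parameter(Mandatory)][string]$Path,       # folder, as entered in the setting (Path)
        [Parameter(Mandatory)][string]$FileName,   # file, as entered in the setting (File name)
        [Parameter(Mandatory)][string]$XPath,      # XPath query from the setting
        [Parameter(Mandatory)][string]$Expected    # value from the compliance rule (Equals)
    )
    $file = Join-Path $Path $FileName
    if (-not (Test-Path -LiteralPath $file)) {
        return [pscustomobject]@{ File = $file; Values = @(); Compliant = $false; Reason = 'File not found' }
    }
    # Select-Xml evaluates the XPath against the document and returns one object per matching node
    $nodes  = Select-Xml -Path $file -XPath $XPath
    $values = @($nodes | ForEach-Object { $_.Node.InnerText.Trim() })

    # The rule is a plain string comparison, so the query must yield exactly one node.
    # PowerShell's -eq is case-insensitive; use -ceq if you need an exact match.
    $compliant = ($values.Count -eq 1) -and ($values[0] -eq $Expected)
    $reason = if ($values.Count -eq 0)     { 'XPath returned no nodes' }
              elseif ($values.Count -gt 1) { "XPath returned $($values.Count) nodes; the rule is ambiguous" }
              elseif (-not $compliant)     { "Value '$($values[0])' does not equal '$Expected'" }
              else                         { 'OK' }
    [pscustomobject]@{ File = $file; Values = $values; Compliant = $compliant; Reason = $reason }
}

# Constructed sample document with the layout the query /Library/Address/City expects
$sampleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<Library>
  <Name>Test Library</Name>
  <Address>
    <Street>1 Main Street</Street>
    <City>Hidden Valley</City>
  </Address>
</Library>
'@
$scratch = Join-Path $env:TEMP 'scratch'     # stands in for c:\scratch on the test machines
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
Set-Content -LiteralPath (Join-Path $scratch 'CI-Xpath.xml') -Value $sampleXml -Encoding UTF8

# Same inputs as the setting and rule built in the post
Test-XPathCompliance -Path $scratch -FileName 'CI-Xpath.xml' -XPath '/Library/Address/City' -Expected 'Hidden Valley'

# A query that matches nothing is reported as non-compliant with the reason, not as an error
Test-XPathCompliance -Path $scratch -FileName 'CI-Xpath.xml' -XPath '/Library/Address/Country' -Expected 'Hidden Valley'
```

Two things the function surfaces that the console will not: a query returning more than one node, and a document that declares a default namespace (in which case the unprefixed XPath matches nothing and Select-Xml needs its -Namespace parameter, as does the setting's own namespace field).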

Once the configuration item is created, the next step is to create a configuration baseline.

Go to Configuration Baselines, right-click and select Create Configuration Baseline.

Type in the name of the configuration item, CI – WQL Query, leave the configuration item type as Windows and click Next.

Select the operating systems where this configuration item will apply and click Next.

Click New.

Type in the name of the setting, CI – WQL Query. From Setting type select WQL query and from Data type select String.

Namespace – root\cimv2 (as discussed at the beginning of the post)

Class – Win32_Service (as discussed in the WQL query above)

Property – Name (as discussed in the WQL query above)

and in the WHERE clause type in StartMode='Auto'

Click Apply, then OK.

Click Next to go to compliance rules.

Click New to create a compliance rule.

Provide the name of the rule.

Click Browse, select the setting created just above and click Select.

In Rule type select Value, and set the rule to CI – WQL Query Equals wuauserv. Click OK.

Click Next.

This screen provides the summary of the settings; if any changes are needed you can go back and change them.

SCCM is working its magic now 🙂

This completes the creation of the configuration item.

To deploy this configuration item to machines, I need to create a configuration baseline.

Go to Configuration Baselines, right-click and select Create Configuration Baseline.

Provide the name of the configuration baseline, CB – WQL Query. Click Add and from the drop-down select Configuration Items.

Select the configuration item and click OK.

Click OK to finish creating the configuration baseline.

The next step is to create a deployment for this configuration baseline.

Select the configuration baseline, right-click and select Deploy.

Make sure the configuration baseline CB – WQL Query is selected.

Select Generate an alert and set the compliance threshold at which you want to see the alert.

Provide the collection name.

Set the evaluation schedule to every 3 hours for the lab. For production this should be once or twice a week, as compliance evaluation is a CPU-intensive task. Click OK to finish creating the deployment.

Go to the client (Windows 8.1 in this case).

Open Configuration Manager in Control Panel, click the Configurations tab, select the configuration baseline and click Evaluate.

Click View Report. As expected, this machine is non-compliant: the Windows Update service's start mode is Manual, and the configuration item is looking for services with StartMode = 'Auto'.
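The four fields of the WQL setting (namespace, class, property, WHERE clause) are assembled into one query, and the compliance rule is compared against whatever that query returns. The following is an added example, not code from the original post: it runs the same query locally so you can see the value set the rule is being compared with, and then shows a narrower form of the setting that returns a single value. The narrower form is a suggestion of this edit, not the settings the post uses.

```powershell
# Added example (not from the original post): run the WQL a setting builds and test the rule.

function Get-WqlSettingValues {
    param(
        [string]$Namespace = 'root\cimv2',
        [Parameter(Mandatory)][string]$Class,
        [Parameter(Mandatory)][string]$Property,
        [string]$Where
    )
    # Same shape as the query the configuration item builds from its four fields
    $query = "SELECT $Property FROM $Class"
    if ($Where) { $query += " WHERE $Where" }
    Get-CimInstance -Namespace $Namespace -Query $query |
        ForEach-Object { $_.$Property }
}

# 1. The setting as the post configures it: the Name of every service whose start mode is Auto.
#    The rule "equals wuauserv" is then compared against a list, which only passes when
#    wuauserv is auto-start; on the post's Windows 8.1 client it is Manual, hence non-compliant.
$autoServices = @(Get-WqlSettingValues -Class Win32_Service -Property Name -Where "StartMode='Auto'")
"Auto-start services returned: $($autoServices.Count); wuauserv among them: $($autoServices -contains 'wuauserv')"

# 2. Narrower alternative (an assumption of this example, not the post's settings):
#    filter on the service name and return StartMode, so the setting yields exactly one
#    value and the rule can simply be "equals Auto".
$startMode = Get-WqlSettingValues -Class Win32_Service -Property StartMode -Where "Name='wuauserv'"
"wuauserv StartMode: $startMode; compliant with rule 'equals Auto': $($startMode -eq 'Auto')"
```

Run it as the same principal the client uses (the SCCM client evaluates settings as LocalSystem), because a WHERE clause that works for an administrator but touches a namespace LocalSystem cannot read will show up only as an evaluation error in the client's DCMAgent.log.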

SQL query compliance items can be used to query different elements of the SQL servers in the environment. This compliance setting is particularly useful if there are a lot of SQL servers in production that need to adhere to certain organisational standards.

Needless to say, this compliance setting is designed to run only on SQL servers. I am going to do a basic check of the SQL version in this post.

You will also need a collection of SQL servers, or a single server, to test the settings.

To create the configuration item, go to the SCCM console, Configuration Items, right-click and select Create Configuration Item.

Assign a name to the configuration item: CI – SQL Version.

Select the operating systems where this setting will apply and click Next.

Click New to create the setting.

Provide a name for the setting. From Setting type select SQL query and from Data type select String.

Now form the SQL query that is going to run on the computers: select the database as master and for Column type version,

then type in:

Select @@VERSION as version;

and click Apply, then OK.

Click Next to go to compliance rules.

Click New to create a compliance rule for the SQL version.

Type in the compliance rule name and click Browse.

Select the SQL query setting created in the previous step and click Select.

From Rule type select Value, if not already selected.

The next step is where the query result is evaluated: set the rule so that the version string Begins with Microsoft SQL Server 2012 SP1, and click OK.

Click Next to finish creating the compliance rules.

This page provides the summary of the configuration item and its rules; if changes need to be made you can go back and make them.

Click Next.

SCCM is working its magic.

The screen provides the summary of the configuration item.

The next step is to create a configuration baseline before the setting is applied to the SQL servers.

Right-click Configuration Baselines and select Create Configuration Baseline.

Provide the name of the configuration baseline, CB – SQL Query – version. Click Add and select Configuration Items from the drop-down.

Select the configuration item and click OK.

Click OK to complete the creation of the configuration baseline.

Now I am ready to deploy this configuration baseline to a collection. Select the configuration baseline, right-click and select Deploy.

Make sure the configuration baseline is selected.

Select Generate an alert if compliance is below a certain threshold.

Select the SQL collection, change the schedule to run every 3 hours for a lab or test setup, and click OK.

To verify the settings, go to a SQL server where this configuration baseline is applied.
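A "begins with" rule is only as good as the prefix typed into it, and @@VERSION does not read the way the product name is usually written: on a 2012 SP1 instance the string starts with "Microsoft SQL Server 2012 (SP1) - 11.0.3000.0", with the service pack in parentheses. The following is an added example, not code from the original post: it applies the same prefix test to constructed version strings in the documented @@VERSION layout, and includes a helper that runs the post's query against a real instance. The instance name LABSQL is a placeholder.

```powershell
# Added example (not from the original post): test a "begins with" rule against @@VERSION output.

function Test-SqlVersionRule {
    param(
        [Parameter(Mandatory)][string]$VersionString,   # the 'version' column the setting returns
        [Parameter(Mandatory)][string]$BeginsWith       # prefix entered in the compliance rule
    )
    # The setting hands back the whole (multi-line) @@VERSION string, so test it unchanged
    $VersionString.StartsWith($BeginsWith, [System.StringComparison]::OrdinalIgnoreCase)
}

function Get-SqlVersionString {
    param(
        [Parameter(Mandatory)][string]$ServerInstance,  # e.g. 'LABSQL' or 'LABSQL\INST1'
        [string]$Database = 'master'                    # same database as chosen in the setting
    )
    # Integrated security: the query runs as the caller (LocalSystem when the SCCM client runs it)
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$ServerInstance;Database=$Database;Integrated Security=True")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT @@VERSION AS version;'   # the post's query, unchanged
        [string]$cmd.ExecuteScalar()
    } finally {
        $conn.Dispose()
    }
}

# Constructed samples in the real @@VERSION layout (build numbers are the SP1 and RTM builds)
$sp1 = "Microsoft SQL Server 2012 (SP1) - 11.0.3000.0 (X64) `n`tCopyright (c) Microsoft Corporation"
$rtm = "Microsoft SQL Server 2012 - 11.0.2100.60 (X64) `n`tCopyright (c) Microsoft Corporation"

# Prefix written the way the post describes the rule, versus the prefix copied from the real string
Test-SqlVersionRule -VersionString $sp1 -BeginsWith 'Microsoft SQL Server 2012 SP1'
Test-SqlVersionRule -VersionString $sp1 -BeginsWith 'Microsoft SQL Server 2012 (SP1)'
Test-SqlVersionRule -VersionString $rtm -BeginsWith 'Microsoft SQL Server 2012 (SP1)'

# Live check against an instance (requires network access and a login for the caller):
# Get-SqlVersionString -ServerInstance 'LABSQL' | ForEach-Object {
#     Test-SqlVersionRule -VersionString $_ -BeginsWith 'Microsoft SQL Server 2012 (SP1)' }
```

The first call is false and the second true, which is the point: copy the prefix from an instance you know is correct rather than typing it from memory. A rule that has to survive cumulative updates is better expressed against SERVERPROPERTY('ProductVersion') with a numeric comparison than against the free-text @@VERSION banner.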

In part 8 I am going to use a script for evaluating compliance on computers. I am going to keep the focus on the compliance item, so the PowerShell script is a basic one. It is also possible to use one script to evaluate the compliance of a machine and a second script to remediate non-compliant machines.

In this post I am going to discuss how to use a script to evaluate compliance on a machine.

Script first. The script I am using is a basic one that checks the state of the Windows Update service. It is a one-line PowerShell script.

Script running on a Windows 8 machine:

get-service -Name wuauserv | select-object -ExpandProperty "Status"

When this script is run, the result is Stopped.

The same script run on a Windows 7 machine:

get-service -Name wuauserv | select-object -ExpandProperty "Status"

When this script is run, the result is Running.

Based on this I know the outcome of the script will differ depending on which OS it runs on. (By default the Windows Update service is not running on Windows 8 and is running on Windows 7.)

Now that that is out of the way, let's get back to compliance items in SCCM.

Go to Assets and Compliance, Compliance Settings, Configuration Items; right-click and select Create Configuration Item.

Provide the name CI – Script – Windows update service check, leave the configuration item type as Windows and click Next.

Select the OS where this configuration item will be applied and click Next.

To create the setting, click New.

Type in the name CI – Script. From the Setting type drop-down select Script and from Data type select String.

There are two places a script can go:

Discovery script

Remediation script

I am going to put my script under Discovery script, since I am evaluating compliance. Click Add Script.

Select Windows PowerShell as the script language, type in the script as explained at the beginning of the post, and click OK.

Click Next.

Now the compliance rule needs to be created. This rule determines how compliance is reported once the script runs on a computer (based on how I define compliance, a machine will be either compliant or non-compliant).

Click New.

Type in the compliance rule name and click Browse.

Select the setting I just created, if not already selected, and click Select.

In Rule type select Value, and set the rule to check that the value returned is Running.

As discussed at the beginning, on Windows 7 the value will be Running and on Windows 8 it will be Stopped (by default). So if this setting is applied to a collection of Windows 8 and Windows 7 machines, the Windows 7 machines will be compliant and the Windows 8 machines won't.

Click OK.

Click Next.

This screen presents the summary of the settings; if any changes are needed you can go back and make them here. Click Next.

SCCM is working its magic here 🙂

And the configuration item is ready.

The next step is to create a configuration baseline. Right-click Configuration Baselines and select Create Configuration Baseline.

Type the name of the configuration baseline, CB – Script – Windows update service. Click Add and select Configuration Items from the drop-down.

Select the configuration item just created and click OK. This finishes creating the configuration baseline.
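The post mentions that a second script can remediate non-compliant machines but does not show one. The following is an added example, not code from the original post: a discovery function built around the post's one-liner and a matching remediation function, written so the body of each can be pasted into the Discovery script and Remediation script boxes of the setting. The remediation behaviour (start the service and make it Automatic so that the next evaluation stays compliant) is an assumption of this example.

```powershell
# Added example (not from the original post): discovery and remediation scripts for one setting.

function Invoke-Discovery {
    # SCCM compares the script's standard output with the compliance rule, so emit exactly
    # one value and nothing else: no Write-Host banners, no extra objects.
    $svc = Get-Service -Name 'wuauserv' -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        'NotInstalled'              # distinct value so a missing service is not read as 'Stopped'
    } else {
        $svc.Status.ToString()      # 'Running' or 'Stopped'; the rule checks for 'Running'
    }
}

function Invoke-Remediation {
    # Runs only when the rule is set to remediate and discovery reported non-compliance.
    # Leave the machine in the state discovery tests for: a service that is merely started
    # but still Manual will be stopped again by the next idle timeout on Windows 8.
    $svc = Get-Service -Name 'wuauserv' -ErrorAction Stop
    Set-Service -Name 'wuauserv' -StartupType Automatic
    if ($svc.Status -ne 'Running') {
        Start-Service -Name 'wuauserv'
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }
    # Return the new state so the remediation result is readable in the client log
    (Get-Service -Name 'wuauserv').Status.ToString()
}

# Local dry run: discovery first, then remediation only if needed (remediation needs elevation)
$state = Invoke-Discovery
"Discovery: $state"
if ($state -eq 'Stopped') { "Remediation: $(Invoke-Remediation)" }
```

Two client-side checks before deploying a script setting: the client runs it as LocalSystem, so do not rely on the logged-on user's profile or mapped drives, and the PowerShell execution policy in Client Settings (Computer Agent) must allow the script to run; the default of AllSigned means an unsigned script is silently reported as an error, not as non-compliant.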

Select all the operating system versions to which this setting will apply.

Now click New to configure the setting.

Specify the name for the setting: CI-RegistryKey.

From the Setting type drop-down select Registry key.

For Hive name select HKEY_LOCAL_MACHINE from the drop-down, then click Browse to go to the actual registry key.

If the registry key exists on the server where you are configuring the setting, browse to the key and select it. Otherwise, in the Computer name field type \\Computer_name and browse to the registry key on that machine; this needs the Remote Registry service running there, so start it for the browse and stop it again afterwards rather than leaving it on.

Now ensure the radio button This key must exist on client devices is selected. Click OK.

Ensure that the key name is selected and click OK.

The next step is to define the compliance rule, which determines how this setting is evaluated. Click New.

Provide the name for the compliance rule and click Browse to select the setting.

Select CI-RegistryKey and click Select.

Now select the Rule type Existential from the drop-down,

and ensure Registry key must exist on client devices is selected. Click OK.

Review the setting and the compliance rule; if everything looks OK click Next.

An IIS Metabase compliance item can look through an IIS server's metabase and report compliance based on conditions defined in compliance rules.

The IIS metabase changed after IIS 6.0: from IIS 7 onwards the configuration lives in XML files (applicationHost.config), and the metabase is only exposed through a compatibility layer.

If working with Windows Server 2008 and higher (which ship IIS versions greater than 6.0), there are certain prerequisites that need to be completed.

On IIS servers running a version greater than IIS 6.0, install the IIS 6 Metabase Compatibility role service from Server Manager (Programs and Features on a client OS).

Download the IIS 6.0 Resource Kit Tools from here and install them on the IIS servers to navigate and explore the IIS metabase.

Double-click the resource kit installer.

Click Next.

Accept the licence agreement.

Provide the user name and company name and click Next.

Select Custom and click Next.

Select the install location or accept the default.

Select Metabase Explorer 1.6.

Click Next.

Click Finish.

Open IIS Metabase Explorer as highlighted in the picture below. I am going to check compliance for property ID 3001, the Path of the web site's root, on the web server: if the path is c:\inetpub\wwwroot then the web server is compliant.
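The same metabase compatibility layer that Metabase Explorer uses is reachable from PowerShell through the IIS ADSI provider, which is a quick way to confirm the property and path before building the setting and to spot-check a server the baseline flags. The following is an added example, not code from the original post. It assumes IIS 6 Metabase Compatibility is installed and that the Default Web Site is W3SVC/1; "Path" is the friendly name of metabase property 3001.

```powershell
# Added example (not from the original post): read metabase property 3001 (Path) of a site root.

function Get-IisSiteRootPath {
    param(
        [string]$Server = 'localhost',
        [int]$SiteId = 1                    # W3SVC/1 is the Default Web Site on a fresh install
    )
    try {
        # IIS:// is served by the IIS 6 compatibility ADSI provider; without it the bind fails
        $root = [ADSI]"IIS://$Server/W3SVC/$SiteId/Root"
        [string]$root.Path                 # 'Path' = metabase property ID 3001 (MD_VR_PATH)
    } catch {
        throw "Cannot read IIS://$Server/W3SVC/$SiteId/Root; is IIS 6 Metabase Compatibility installed? $_"
    }
}

function Test-IisRootPathCompliance {
    param(
        [string]$Server = 'localhost',
        [int]$SiteId = 1,
        [string]$Expected = 'c:\inetpub\wwwroot'   # value the post's compliance rule expects
    )
    $actual = Get-IisSiteRootPath -Server $Server -SiteId $SiteId
    [pscustomobject]@{
        Server    = $Server
        Site      = "W3SVC/$SiteId"
        Path      = $actual
        # Trailing backslashes and letter case differ between tools; normalise before comparing
        Compliant = ($actual.TrimEnd('\') -ieq $Expected.TrimEnd('\'))
    }
}

Test-IisRootPathCompliance
# Another site on the same server, if it exists: Test-IisRootPathCompliance -SiteId 2
```

The normalisation in the last line matters for the console rule as well: a server whose metabase stores C:\Inetpub\wwwroot\ is the same configuration, and a rule using Equals on the raw string will report it as non-compliant unless the rule is written to tolerate case and the trailing separator.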

Once the configuration baseline is created, I am ready to deploy it to the web servers collection. If you have not already created a collection, first create one containing the web servers on which to evaluate IIS metabase compliance.

Right-click the configuration baseline and select Deploy.

Make sure CB – IIS Metabase Settings is selected.

Select Generate an alert.

Click Browse and point it to the web servers collection.

Set the evaluation schedule to run every three hours and click OK.

Go to the web server where compliance is evaluated, open Configuration Manager client properties in Control Panel and select the Configurations tab. Click Evaluate to check whether the machine is compliant or not.

Click View Report to see the detailed status.

This means that on server LABSERV1 the Default Web Site has the path c:\inetpub\wwwroot.
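Every post in this series ends by logging on to the client, opening the Configurations tab and clicking Evaluate. The same action is available remotely through the client's root\ccm\dcm WMI namespace, which is how you check a server without an RDP session. The following is an added example, not code from the original post: it triggers evaluation of one baseline, waits for the evaluation time to move on, and reports the status using the documented LastComplianceStatus codes. LABSERV1 is the post's server; the baseline display name is assumed to match what was typed in the console.

```powershell
# Added example (not from the original post): remote "Evaluate" for one baseline, with result.

function Invoke-CMBaselineEvaluation {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][string]$BaselineDisplayName,   # name as shown in the console
        [int]$TimeoutSeconds = 120
    )
    $ns = 'root\ccm\dcm'
    $baseline = Get-CimInstance -ComputerName $ComputerName -Namespace $ns -ClassName SMS_DesiredConfiguration |
        Where-Object { $_.DisplayName -eq $BaselineDisplayName }
    if (-not $baseline) {
        throw "'$BaselineDisplayName' is not assigned to $ComputerName (policy not downloaded yet?)"
    }
    $id     = $baseline.Name          # Name is the baseline's unique ID, DisplayName the friendly name
    $before = $baseline.LastEvalTime

    # Equivalent of the Evaluate button: a static method of the class, identified by Name/Version
    $null = Invoke-CimMethod -ComputerName $ComputerName -Namespace $ns -ClassName SMS_DesiredConfiguration `
        -MethodName TriggerEvaluation -Arguments @{ Name = $id; Version = $baseline.Version }

    # The evaluation is asynchronous: poll until LastEvalTime changes or we give up
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 5
        $baseline = Get-CimInstance -ComputerName $ComputerName -Namespace $ns -ClassName SMS_DesiredConfiguration |
            Where-Object { $_.Name -eq $id }
    } until ($baseline.LastEvalTime -ne $before -or (Get-Date) -gt $deadline)

    # LastComplianceStatus values as documented for SMS_DesiredConfiguration
    $status = switch ([int]$baseline.LastComplianceStatus) {
        0       { 'Non-compliant' }
        1       { 'Compliant' }
        2       { 'Submitted' }
        3       { 'Unknown' }
        4       { 'Detecting' }
        5       { 'Not evaluated' }
        default { "Code $($baseline.LastComplianceStatus)" }
    }
    [pscustomobject]@{
        Computer  = $ComputerName
        Baseline  = $baseline.DisplayName
        Version   = $baseline.Version
        Evaluated = $baseline.LastEvalTime
        Status    = $status
        TimedOut  = ($baseline.LastEvalTime -eq $before)
    }
}

Invoke-CMBaselineEvaluation -ComputerName 'LABSERV1' -BaselineDisplayName 'CB - IIS Metabase Settings'
```

The per-setting detail that View Report shows is not in this class; for that, read CIAgent.log and DCMAgent.log in the client's log folder on the server, which also record why a setting could not be evaluated at all (missing file, WMI error, script blocked by execution policy), a condition the console rolls up as an error rather than as non-compliance.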

Browse to the device collection to evaluate compliance for. Change the schedule to occur every 2 hours. For a large production network you may want to set this to once a week or once every few days. Click OK.

Go to the client computer to verify the compliance setting has been applied to the device: open Control Panel, click Configuration Manager and select the Configurations tab.

Click View Report to see the expanded results.

This machine has the Microsoft.VisualC assembly and is therefore compliant.

Compliance Settings in SCCM 2012 can be used to evaluate a setting on device or user objects present in SCCM, by targeting device or user collections.

To evaluate compliance, configuration baselines are deployed to collections. Configuration baselines are made up of configuration items and/or software updates. Configuration items are in turn made up of configuration settings.

In these posts I am going to cover the Windows (operating system) category, since I don't have mobile OS or Mac OS in my lab.

Configuration settings structure

The chart below explains how configuration items and configuration baselines work together to form compliance settings.

Configuration Settings for Windows – Section 1

There are a total of 10 configuration settings available for use in Windows configuration items, as outlined by the red line in the picture above, but the scope of what can be achieved with them is great. Understanding these configuration settings is very important to using compliance settings effectively.

I am going to explain each of these settings with an example.

One or more of these configuration settings form a configuration item.

The picture below shows these Windows settings as they appear in SCCM.

Configuration Items – Section 2

There are 3 types of configuration items, as shown in section 2, plus software updates.

In the post following this one I am going to cover the Windows configuration item from section 2.

Note – Though a software update is a configuration setting, it cannot be configured at level 1 and can only be added at level 2, directly to a configuration baseline.

Configuration Baseline – Section 3

A configuration baseline is a group which can consist of:

one or more configuration items

configuration items and software updates

software updates only

SCCM Collections – Section 4

Configuration baselines are deployed to SCCM collections, and that is where compliance is evaluated. One collection can have multiple configuration baselines deployed to it at any one time.

Compliance can be evaluated for device collections or user collections.

From the next post I am going to start configuring these settings.

Enable Compliance from Device policies

Ensure Enable compliance evaluation on clients is set to Yes. I changed the compliance evaluation schedule to every 3 hours; depending on an organisation's requirements it could stay at the default of once a week or longer.

Compliance evaluation has some impact on client activity, so very frequent evaluations can slow down clients.

In Part 6 I explained the New Computer Install, Post Install and Applications Install groups.

Part 7 – Copy logs Group

This group is set to Continue on error, because if there is any error in copying logs it would otherwise appear as if the entire task sequence had failed. However, it is up to you: if you think copying logs is critical, uncheck Continue on error.

The next sub-group is OSD Failed.

This sub-group only runs if there was an error in the steps before the Copy Logs group. This is done by using a task sequence variable as a condition:

only if _SMSTSLastActionSucceeded is false does the sub-group “OSD Failed” run; otherwise the sub-group is skipped.

If the task sequence variable condition is true, the next step is

Connect to OSD Logs Folder. This is a shared folder on the server (in my case the SCCM server) and Everyone has Change permissions on it. That is fine for a lab, but the share is writable from every machine that runs the task sequence, so in production grant Change only to the account used in this Connect to Network Folder step.

HOWEVER... I was not able to connect to this folder if I used any account other than the Domain Admin account. I don't know why yet.

The next step is Delete Folder if exists.

This step has Continue on error checked, because if the folder for the machine does not exist the step fails, as there is nothing to delete.

However, if the folder with the machine name does exist, the command shown in the screen below runs and deletes it.

Next, Create Folder to copy the logs into.

If this step runs under the sub-group OSD Successful the folder will be Z:\OSD_Success; everything else is the same.

The next step is Copy Logs.

If this step runs under the sub-group OSD Successful the folder will be Z:\OSD_Success; everything else is the same.

The next sub-group is OSD Successful.

This sub-group only runs if all the steps before the Copy Logs group completed. This is done by using a task sequence variable as a condition:

only if _SMSTSLastActionSucceeded is true does the sub-group “OSD Successful” run; otherwise the sub-group is skipped.

All the steps under OSD Successful are the same as under OSD Failed, described above. Any differences in paths are noted in the steps above.
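The two sub-groups are the same four steps with one path difference, driven by _SMSTSLastActionSucceeded. The following is an added example, not part of the original task sequence: it collapses the Delete Folder, Create Folder and Copy Logs steps of both sub-groups into one Run PowerShell Script step by reading the same variable through the task sequence environment COM object. It assumes the preceding Connect to OSD Logs Folder step has already mapped the share as Z: (as in the post), and that the OSD_Success and OSD_Failed folder names are the ones used in the groups.

```powershell
# Added example (not from the original post): Copy Logs group as a single PowerShell step.

# The COM object exists only inside a running task sequence (WinPE or full OS)
$tsenv = New-Object -ComObject Microsoft.SMS.TSEnvironment

# _SMSTSLastActionSucceeded is the same variable the two sub-group conditions test;
# read it first, before anything in this script can change the "last action"
$succeeded = $tsenv.Value('_SMSTSLastActionSucceeded') -eq 'true'
$outcome   = if ($succeeded) { 'OSD_Success' } else { 'OSD_Failed' }

# OSDComputerName is set by the HTA earlier in the sequence; fall back to the running name
$name = $tsenv.Value('OSDComputerName')
if (-not $name) { $name = $env:COMPUTERNAME }

# Current log location: X:\Windows\Temp\SMSTSLog in WinPE, moves under CCM\Logs in the full OS
$logPath = $tsenv.Value('_SMSTSLogPath')

$share = 'Z:'                                    # mapped by the Connect to Network Folder step
$dest  = Join-Path $share "$outcome\$name"       # e.g. Z:\OSD_Failed\PC0001

if (-not (Test-Path -LiteralPath $share)) { throw "$share is not mapped; Connect to OSD Logs Folder did not run" }

# Delete Folder if exists (without needing Continue on error: the test replaces it)
if (Test-Path -LiteralPath $dest) { Remove-Item -LiteralPath $dest -Recurse -Force }

# Create Folder
New-Item -ItemType Directory -Path $dest -Force | Out-Null

# Copy Logs: everything from the current log folder, plus the agent logs when in the full OS
Copy-Item -Path (Join-Path $logPath '*.log') -Destination $dest -Force
$ccmLogs = Join-Path $env:windir 'CCM\Logs'
if (Test-Path -LiteralPath $ccmLogs) {
    Copy-Item -Path (Join-Path $ccmLogs '*.log') -Destination $dest -Force
}

# Leave a one-line marker so the share can be grepped for failures without opening smsts.log
"$name $outcome $(Get-Date -Format s) step=$($tsenv.Value('_SMSTSLastActionName'))" |
    Set-Content -LiteralPath (Join-Path $dest 'result.txt')
```

Because this single step replaces both sub-groups, it needs no condition of its own; keep Continue on error set on it, as the post does on the group, so a dead share does not turn a successful deployment into a reported failure. The result.txt line records _SMSTSLastActionName, which tells you which step failed without opening smsts.log.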

Part 6 – New Computer Install, Post Install and Applications Install Group

New Computer group – This group only runs if the task sequence variable OSDOSConfig is set to NewComputer; otherwise the group is skipped. The variable is set when New computer is selected in the HTA.

The next step is Use Toolkit Package.

We need to run this because the next step, Validate, runs a script. The validate script is part of the MDT Toolkit package and needs to be downloaded to the computer before the Validate step runs.

The next step is Validate.

This step runs the script ZTIValidate.wsf, which checks whether the hardware meets the minimum requirements for Windows 7. You can change these settings if needed.

The next step is Apply Operating System.

This step installs the OS onto the new computer.

The next step is Post Install. This group runs for both new and refresh computers.

The next step is Use Toolkit Package.

The next step is Gather. This runs the MDT script ZTIGather.wsf, which reads the environment, sets task sequence variable values and runs the rules defined in CustomSettings.ini.

If you don't use any rules in CustomSettings.ini you can also select the first option, “Gather only local data (do not process rules)”.

When an application is selected for install, a task sequence variable is set, as explained in Part 1.

In the example below, if the task sequence variable is set to true then the application MS XML SP1 will be installed; otherwise this install is skipped. The variable is set when the application is selected on the HTA screen.

For MS XML SP1 the task sequence variable is OSDXMLnotepad; if it is checked in the HTA, its stored value is true.

This step is needed for the task sequence to check whether the machine is in WinPE or not. If not, this step boots the machine into WinPE; the check uses the variable _SMSTSInWinPE.

If the variable _SMSTSInWinPE is false then this step will run.

We need to run this step in order to do two things:

first, to display the HTA, and second, to back up the computer if this is a reinstall.

An offline backup has one advantage: no user is logged in and no processes are running, so the likelihood of USMT failing is lower.

The next step is Display HTA.

As shown above, package HTA1 contains just one file, “SCCMDiet.hta”. It is a Run Command Line step in the task sequence. At this point the task sequence is in WinPE and the HTA will display.

From here on the task sequence will run or skip steps based on the selections made in the HTA.

Backup User data

The Backup User Data step will run if the task sequence variable OSDOSConfig is set to Reinstall.

If the above condition evaluates to true, the next step is Set Local State Location.

The next step defines how the backup will be done. With USMT 5.0 it has become very simple to do a hard-link backup in WinPE.

If you select the options displayed in the screen above you will be able to capture user data in WinPE. This step uses the USMT v1 package created earlier, which has an extra wallpaper.xml in it.

We need to specify the wallpaper.xml file in order for USMT to migrate the wallpaper.

Select Files and then add the names of all three files.

After the backup is complete, the next step is to install the operating system. This group runs if the OSDOSConfig task sequence variable is set to Reinstall (this variable gets set while making the OS selection in the HTA).

As seen below, the 1st group is set to Continue on error. This means that if the task sequence fails at any step before the 2nd group, it will not abort the task sequence; instead it will go on to the 2nd group, Copy Logs.

Partition if necessary

This group is taken as-is from the MDT standard client task sequence. It evaluates a few conditions before executing the next step.

As you can see from the screen capture above, all the conditions need to be true for this step to run:

_SMSTSInWinPE equals TRUE – This is the first condition processed: whether the task sequence is running in WinPE. If not in WinPE, this step will be skipped.

_SMSTSMediaType not equals OEMMedia – If the task sequence variable _SMSTSMediaType = OEMMedia this step will be skipped and the disk will not be formatted, because if prestaged media is present the disk is already prepared and does not need formatting. When prestaged media (a WIM file) is created it has the task sequence variable _SMSTSMediaType set to OEMMedia.

The last condition being evaluated is a WMI query, and it has 3 conditions.

Windows RE Tools – This partition should be separate from the Windows partition. No drive letter is assigned to it.

This partition has two main functions:

support failover of the Windows partition

support booting from BitLocker-protected partitions

EFI – EFI is the system partition of UEFI-based computers. The computer boots from this partition. It is formatted with FAT32, is managed by the operating system and should not contain any other files.

MSR – Microsoft Reserved Partition – The MSR partition is used for drive management. There is one MSR partition for each drive.

OSDisk – This is where the operating system files reside, along with data.

Format and partition

This step runs if the task sequence variable _SMSTSBootUEFI is not true.

This step is for computers with BIOS. It will install the OS onto the drive, formatted with NTFS.

By default the MDT standard client task sequence assigns this drive the task sequence variable OSDTemporaryDrive. I removed OSDTemporaryDrive and selected Next formatted partition from the list.

Download the zip file for the task sequence as mentioned in part 1, then go to the Configuration Manager console.

Go to Software Library, Operating System Deployment, Task Sequences.

Click Import Task Sequence and ignore the dependencies.

Open the task sequence and you will see the following steps.

These are ALL the steps in the task sequence. I have highlighted what each group does, and I will explain each group in the next post. At this point you should resolve the package dependencies before moving forward.

Some groups use task sequence variables created and set by the HTA. Some groups use task sequence variables set by MDT and SCCM.

Task sequence (you can download the full task sequence from here), but I encourage you to create a new MDT standard client task sequence and then modify it, or try both methods.

If you are importing the task sequence, just ignore the dependencies and import.

Software packages as shown in the HTA (create at least a couple if you want to see task sequence variables in action).

PART 1 – Reviewing HTA

In Part 1 I am going to review the HTA that I will be using in the task sequence and look at the code inside it to better understand what it does.

Download the HTA file and open it. It will pop up an error about the task sequence environment; that is normal, since the HTA is not running in WinPE.

The HTA looks as shown above.

The first field is Computer Name. If the computer already exists in SCCM and is known, the computer name is automatically shown in this field.

OS Selection – This is a radio-button selection and you can select New computer or Reinstall. If you select New computer it will format the HDD and install Windows 7 x64.

If you select Reinstall, it will back up user data from WinPE using hard-linking and reinstall Windows 7 x64.

Select software to install

If you check a box, the respective software will be installed. This is done by setting a task sequence variable, explained shortly below in this post.

Clicking Finish closes the HTA when in WinPE.

Inside HTA

Now open it with Notepad++ or any other advanced text editor.

In the HTA you will notice it has two sections. The first section is script, which dictates the logic when selections are made within the HTA. The second section is HTML, which dictates how the HTA is displayed when it runs.

As you see above, one section of code is for hiding the task sequence progress bar while the HTA is running.

The section below is the code for setting the computer name.

The OS config section sets a task sequence variable named “OSDOSConfig”, and also determines what the value of this variable will be based on the selection, which is explained further down in the post.

The next section, Apps, sets a task sequence variable for each application. For the application SevenZip it sets the task sequence variable “OSD7zip”, and sets its value to “true” if it is checked in the HTA.

Shown above is the HTML section of the HTA. The first part defines what the computer name field looks like and how many characters it can hold.

OS configuration sets the value of the task sequence variable OSDOSConfig to either NewComputer or Reinstall, based on the selection made.

The software selection section shows that it is a checkbox, and selecting the checkbox for SevenZip will set the task sequence variable OSD7Zip to true.

Task sequence variables can be used as conditions to either run a step in the task sequence or skip it. I will detail that in a later post.

This is a very short overview of what is inside the HTA. Thanks again to Nick for providing the HTA.

Copy the HTA to your sources folder, create a package without any program and distribute it to the distribution points.

In Part 4 of installing MBAM 2.5, we installed and configured the MBAM databases and reports.

In Part 5 of installing MBAM 2.5, we are going to install and configure the MBAM web services and administration portal.

Before starting this configuration, change the port of the Default Web Site to something other than 80 if you wish to use port 80 for MBAM.

Step 1:

On the MBAM server (SQL01), go to Programs, launch MBAM Server Configuration and click Add New Features.

Select Administration and Monitoring Website and Self-Service Portal and click Next.

If all the prerequisites are met, click Next.

On the Configure Web Applications page, since I am not using PKI, I selected the “Do not use certificate” option. Note that this leaves the portal and the recovery web service on plain HTTP, so recovery keys and helpdesk traffic cross the network unencrypted; that is acceptable for a lab only, and a production deployment should bind a certificate here.

Then add the server name and supply the web application pool account. This account needs to be a member of the DB read/write group.

For more information on users and groups, review Part 2 of installing MBAM 2.5.

Scrolling down on the Configure Web Applications page:

Specify the server name for the Compliance and Audit database and the Recovery database.

Scrolling further down on the Configure Web Applications page:

Specify the MBAM Advanced Helpdesk group.

Specify the MBAM Helpdesk group.

Make sure the System Center integration box is checked; otherwise the compliance reports will be installed again on the web administration server, and we don't want that because the compliance reports are already installed on the SCCM server.

Provide the Reporting Services role group name.

Provide the URL of the Reporting Services instance installed on the MBAM server (in my case this is different from the SCCM Reporting Services). I have two instances of Reporting Services running: one on the SCCM server and one on the MBAM server.